SCA on Owner users
Mangopay started communicating by email about SCA on Owners during February 2025. Your platform will be required to complete the necessary integrations, with specific deadlines communicated during the year.
For any questions, please contact our teams via the Dashboard.
Mangopay is implementing strong customer authentication (SCA) on your platform’s users to enhance security and to comply with European regulations (PSD2) as a regulated EMI. The same regulations are behind 3DS authentication applied to card payments or alternative requirements for other payment methods.
SCA is a form of multi-factor authentication (MFA, also 2FA), where a user authenticates using evidence of different categories (knowledge, possession, and inherence).
Scope
Note – SCA applies to users Owner only
Mangopay’s SCA feature will only apply to users categorized as Owner, because these users are subject to Mangopay’s T&Cs and as such hold a Mangopay account.
Users categorized as Payers will not be affected by Mangopay’s SCA.
SCA requires the Owner user to authenticate with Mangopay directly as they are the Mangopay account holder.
For Natural users, enrollment of the OTP factor is available to integrate, requiring the individual’s PhoneNumber and Email.
For Legal users, enrollment of the OTP factor is available to integrate for Soletraders. The individual’s phone number and email must be provided in LegalRepresentative.PhoneNumber and LegalRepresentative.Email and they must authenticate.
In future, Mangopay will provide features to allow the other types of Legal user (Business, Organization, Partnership) to designate additional authorized individuals who can complete SCA on behalf of the entity.
What your platform needs to do
Your platform needs to integrate the new user endpoints to handle SCA in the following scenarios for Owner users.
The dedicated enrollment guides linked below provide a step-by-step walkthrough of each case:
| Action | Guide | |
|---|---|---|
1 | Enrollment of new Owners (Natural and Legal Soletraders) users using OTP authentication when you register them for the first time (at user creation) | |
2 | Enrollment of Owners (Natural and Legal Soletraders) users using OTP authentication when they transition from a Payer (on categorization) | |
3 | Enrollment of all existing Owners (Natural and Legal Soletraders) users in OTP authentication | |
4 | Re-enrollment of Owners (Natural and Legal Soletraders) users when they change the phone number or email. |
In all cases, to enroll the user your platform must redirect the individual to a Mangopay-hosted webpage. The redirection URL for the SCA session is returned by the Mangopay API in the response property PendingUserAction.RedirectUrl. Before redirecting, you need to define, encode, and append a returnUrl to which the session returns the user afterwards (whatever the outcome).
See the SCA session guide for details on this redirection process. Mangopay will use the same mechanism for all SCA-related features, both enrollment and authentication of planned features.
Best practice – Anticipate integration
Your platform will be required to complete additional integration during 2025 as Mangopay releases new SCA-related features.
More details about Mangopay’s planned features for SCA-controlled actions are listed in the table below.
Factors
Mangopay is providing the following authentication factors.
| Availability | Factor | Description | Type |
|---|---|---|---|
Available | Phone-based one-time passcode (OTP) | The user provides and authenticates (that is, enrolls) their device and then, to authenticate an action, receives an SMS OTP and provides it to Mangopay. | Possession |
Planned | Personal identification number (PIN) | The user defines a 6-digit PIN code and then, to authenticate an action, provides the PIN to Mangopay. | Knowledge |
Mangopay is delivering SCA via a unique session on a hosted web page. The URL will be returned on the relevant API calls for enrolling factors or authenticating actions: in the response property PendingUserAction.RedirectUrl – see SCA session for details.
The same system will be used for all authentication factors, both available and planned.
OTP
In one-time passcode (OTP) authentication, the SCA session provides the Owner user a screen where they can provide (or confirm) their phone number, request an OTP by SMS, and submit it.
Once the user requests the OTP, they have 5 minutes to enter it. The total SCA session times out after 10 minutes.
The individual can enter the phone number to be used for SMS OTP during the SCA session. If your platform has already added it to the Natural User (PhoneNumber) or Legal User (LegalRepresentative.PhoneNumber) object, then the value is pre-populated in the SCA session. The individual is asked to confirm or modify the data before continuing.
Note – SCA session data doesn’t update API
The phone number provided or confirmed by the user during the SCA session is not subsequently updated in the User API object.
Changing the PhoneNumber or LegalRepresentative.PhoneNumber data in the API object triggers SCA re-enrollment.
Testing
In Sandbox, you can use the PhoneNumber +33611111111 (or 0611111111 and FR) and the passcode 702100 to simulate a successful flow.
You can also test by using a real phone number to receive the SMS OTP.
Note – LastName must finish “Review”
To trigger SCA on a user in Sandbox, you need ensure the LastName (or LegalRepresentative.LastName) value finishes with the word “Review”, as shown below.
PIN
The PIN code factor is still in development, but it will be managed via the same hosted session and RedirectUrl.
SCA-controlled actions
The regulations apply SCA to situations where a Owner user accesses or initiates certain payment activities, or to other situations considered at risk.
For Mangopay, this means the following actions will be authenticated by SCA.
| Availability | Action | Description |
|---|---|---|
Available | Creation of the user account (Owner category) | When an Owner user is registered with Mangopay, they must provide and authenticate (enroll) their phone number. This applies to first-time registration, transition from the Payer category, and enrollment of existing Owner users. |
Available | Change of authentication credentials | When an Owner user changes their phone number or email they must authenticate the new one. |
Planned: Q1 2025 | Registration of a bank account | When an Owner user registers a bank account, they must authenticate. Mangopay will be releasing a new version of the Bank Account object called Recipients. Recipients will allow validation of account details, supporting faster and more reliable local and international payouts. SCA will only be applied to Recipients. |
Planned: Q2 2025 | Transfer from one Owner user to another | Transfers from one Owner user to another are in scope of SCA. The conditions surrounding transfers are still being defined and Mangopay is developing features to support platforms’ activity and a range of exemptions. Among those already defined:
|
Planned: Q3 2025 | Access to wallet balance and transaction details | When an Owner user wishes to view their wallet balance or see past transactions crediting or debiting it, they may be required to authenticate. The conditions surrounding wallet access are still being defined but may include, for example, first-time access. |
SCA authentication will be delivered in the same way across all SCA-controlled actions: via a hosted web page returned in the response property PendingUserAction.RedirectUrl on the relevant API call. See SCA session for details on how to redirect a user for SCA.
Related resources
Was this page helpful?